Toggle light / dark theme

Last year, Google began experimenting with hardware-based schemes for user-authentication, while Apple added two factor authentication to iCloud and Apple ID users. They began sending a verification code to users via a mobile number registered in advance.

Security pundits know that two factor authentication is more secure than simple passwords. As a refresher, “Factors” are typically described like this:

  • Something that you know (a password — or even better, a formula)
  • Something that you have (Secure ID token or code sent to cell phone)
  • Something that you are (a biometric: fingerprint, voice, face, etc.)

The Google project may be just another method of factor #2. In fact, because it is small (easily misplaced or stolen), it simplifies but does not improve on security. I suggest a radical and reliable method of authentication. It’s not new and it’s not my idea…

password_key

Back in 1999, Hugh Davies (no relation to Ellery) was awarded a patent on a novel form of access and authentication. It capitalizes on the human ability to quickly pick a familiar face out of a crowd. Just as with passwords, it uses something that you know to log in, purchase, or access a secure service. But unlike passwords, the “combination” changes with every use, and yet the user needn’t learn anything new.

Hoping to commercialize the technique, Davies joined another Brit, Paul Barrett, and formed Passfaces (originally, Real User Corporation). Incidentally, it is quite difficult to research Passfaces and its history. Web searches for “face recognition”, “access”, “authentication” and “patent” yield results for a more recent development in which a smart phone recognizes the face of authorized users, rather than users recognizing familiar faces. (Google, Samsung and Apple are all beginning to use face recognition on mobile devices). In fact, the Passfaces method is quicker, uses less resources and is far more reliable.

I have long been disappointed and surprised that the technique has never caught on. It is a terrific method with few drawbacks. Used alone, it is better than other methods of 1 or 2 factor authentication. Add a second factor and it is remarkably secure and robust.

How it Works:

Passfaces-1When accessing or authenticating (for example, logging into a corporate VPN or completing a credit card purchase), you are presented with a tiled screen of individual faces. I prefer a big 15×5 grid = 75 images, but Passfaces uses sequential screens of just 9 faces arranged like the number pad on an ATM.

Just click on a few familiar faces. That’s all! Oddly, Passfaces discourages the use of known faces. Their research, with which I respectfully disagree, suggests that users should train themselves to recognize a few faces from the company’s stock library. In my preferred embodiment, users upload a dozen photos of people they know at a glance—preferably, people that they knew in the past: A 3rd grade music teacher, a childhood friend who moved away, the face on an oil painting that hung in the basement until Dad tossed it in the fireplace. Now, add the boss who fired you from your first job, the prom queen who dumped you for a football jock, and that very odd doorman who stood in front of a hotel in your neighborhood for 20 years. Photos of various quality and resolution, but all scaled to fit the grid. Some are black & white, perhaps scanned from an old yearbook.

Using my preferred example of 75 faces, suppose that 5 or 6 of the images are from your personal shoe box of old photos. The rest are randomly inserted from all over the internet. How long would take you to click on 3 of the 5 or 6 familiar faces in front of you? (Remember: They are old acquaintances. Even a spouse would have difficulty picking out 3 faces from your early life—as they looked back then). Surprise! You will click them instantly, especially on a touch screen. You won’t need even a second to study the collage. They jump off the screen because your brain perceives a familiar face very differently and faster than anything else.

Of course, the photo array is mixed in different ways for each authentication and it incorporates different friends from your original upload. In fact, if a user sees the same faces in the next few transactions, it is a red flag. Someone has spied on the process, perhaps with a local camera or screen logger. In legitimate use, the same faces are not recycled for many days and are never shown together on the same screen.

Facebook uses a variant of this technique when their servers sense your attempt to login from new equipment or from another part of the country. They show you individuals that you have friended, but that were uploaded and tagged by other users. If you cannot identify a few of your own friends, especially the ones with which you have frequent social contact, than it’s likely that your login attempt deserves more scrutiny.

I don’t know why Passfaces or something like it has failed to catch fire. Perhaps the inventor refuses to license the method at reasonable cost or perhaps he cannot find a visionary VC or angel consortium to more aggressively promote it. If I had invented and patented facial-array authentication, I would attempt to market the patent for a short time focusing on very large network companies like Microsoft, Google, Cisco or Akamai. If I could not license or sell the patent quickly, I would hesitate to go it alone. (I have tried that route too many times). Instead, I would place it in the public domain and profit by being the first, and most skilled practitioner at deployment. I would train and certify others and consult to organizations that use or commercialize the technology.

saira.maskI used this approach in promoting my own patent which describes an economic barrier to spam (after failing to exploit the invention with my own company). Later, I started with this approach in my research on Blind Signaling and Response and on Reverse Distributed Data Clouds. I recognized that rapid adoption of transformative technology like facial grid authentication, can be thwarted by defensive IP practice.

« Branching somewhat off topic, a developmental biologist at Imperial College in London, has published a proof that Saira Mohan has the world’s most beautiful face, irrespective of the observer’s race. That’s Saira at left. Her mother is French/Irish and her father is Hindoo.

__________
Philip Raymond is Co-Chair of The Cryptocurrency Standards Association [crypsa.org] and
chief editor at AWildDuck.com. He consults to cloud storage vendors in areas of security, pri–
vacy & network architecture, but has no ties to Passfaces or the authentication community.

Toss Your Credit Cards and Other Security Musings – By: Sherri Hammons

“Let’s post our credit card numbers and even those pesky CSV codes on the back. (Better yet, let’s just do away with credit cards altogether because, at the end of that day, it’s just a bank taking on the risk that you’ll pay back a loan.) Let’s post our social security numbers and our driver’s licenses. Let’s post everything. Overnight, the incentives to steal your data are wiped off the face of the earth. The dark databases are worth zero.”

Last year, my personal credit cards and banks were breached five times. Last week, another personal breach. Each time, I was informed by email and snail mail, a new credit card or bank account was issued, and I bought more monitoring for my credit or, in the case of one of the breaches, the company that was breached bought additional monitoring. About the fourth time, I started wondering why our industry doesn’t do something else. The traditional IT security model is dead, but we just keep propping up the body. Hope has become our strategy in the cyber security war. Read more

Ours is a world of static objects, cut, cast, or forged for specific tasks. But let’s say you opened an Ikea box, and the desk inside assembled itself. Or your water pipes shrank as the pressure decreased: no more weak showers, less wasted water. This is the 4D-printed future, and labs are already striving to make it a reality.

The tech builds on 3-D printing—with the added fourth dimension of time, across which objects transform. Skylar Tibbits, founder of MIT’s Self-Assembly Lab, coined the term “4D printing” in a 2013 TED Talk and showed how a straight plastic strand folded into the letters M, I, T when dropped in water.

Read more

http://cdn-imgs-mag.aeon.co/images/2015/06/New-droplet-3-GS133154-1024x641.jpg

“Feynman argued that the laws of physics do not exhibit a unique, logical structure, such that one set of statements is more fundamental than another. Instead of a hierarchical ‘Euclidean conception’ of theories, Feynman argued that physics follows what he calls the ‘Babylonian tradition’, according to which the principles of physics provide us with an interconnected structure with no unique, context-independent starting point for our derivations. Given such structures, Feynman said: ‘I am never quite sure of where I am supposed to begin or where I am supposed to end.’ I want to suggest that we should think of causal structures in physics in the very same way.” Read more

[from Engadget]
black_hole_art
Black holes are, by definition, impossible to see by conventional methods and are often further obscured by thick blankets of dust or gas. But that’s not an issue for NASA’s Nuclear Spectroscopic Telescope Array (NuSTAR). It can peek through the obscuring layers and monitor the black holes via the high-energy X-rays that they emit. And, after a recent survey that spotted five previously unknown supermassive black holes in the centers of various galaxies, NASA researchers now think there could be millions of of them dotting the Universe like the holes of an intergalactic colander.

“Thanks to NuSTAR, for the first time, we have been able to clearly identify these hidden monsters that are predicted to be there, but have previously been elusive because of their surrounding cocoons of material,” said George Lansbury of Durham University in a statement. “Although we have only detected five of these hidden supermassive black holes, when we extrapolate our results across the whole universe, then the predicted numbers are huge and in agreement with what we would expect to see.” The team’s research has been accepted for publication in The Astrophysical Journal.